Giving Up Passwords For Chocolate 710
RonnyJ writes "The BBC is reporting that, according to a recent survey, more than 70% of people would willingly give up their computer password in exchange for as little as a bar of chocolate. Over a third of the people surveyed even gave out their password without having to be bribed, and most indicated that they were fed up with having to use passwords."
Wait a minute (Score:5, Insightful)
So people can just make it up.
Yes Mr "Researcher" if offered chocolate 79% of people can think of a random word.
Big deal,
John.
does this surprise anyone? it's not a fingerprint! (Score:5, Insightful)
this, i think, is a big problem and the onyl way to solve it is to re-educate people for them to understand that such a password is important and should not be shared. clearly an alternate solution would be to install fingerprint scanners on all computers (a viable option in the future), but that would not help overcome the erroneous attitute towards computer security. in fact, such scanners would work well as again people are used to the fact that their fingerprint makes them unique and should not be "shared".
finally, this will be an important concern in the future: already we are able to shop online and the future where all transactions go via the internet is near. one account (a la
Sad but true... (Score:4, Insightful)
Comment removed (Score:5, Insightful)
Re:Wait a minute (Score:5, Insightful)
Depends what type of password they're asking for. I can imagine my boss giving up some of his real passwords for a bribe because he thinks "big deal... that one's not protecting anything sensitive anyway". Except, that comes down to him not understanding that whole "weakest link in the defenses" problem. Yea, maybe THAT password isn't, but what does that give a malicious user access to that could be abused elsewhere? What apps level attacks are we now vulnerable to? What databases could be stolen? Could the attacker now impersonate you to get more information from other people?
Management and business types, and of course home users, don't think security is a big complex model. They think "oh, we have a firewall... we're safe" and that's the end of it.
Re:Scope of article (Score:3, Insightful)
back when i was a sysadmin i once ran a test: we had asked all users to use DIFFERENT password for the 2 NT machines we had and all the other linux workstations. i started cracking passwords on the linux box and found some after 48h (~5% of user passwords). then i used L0phtcrack (awesome tool!) on the NT machine and had about 45% of the passwords after 24h. guess what: from those 45% about half worked also on the linux boxes...
But in the geek world the real thriller is.. (Score:2, Insightful)
Re:Passwords and memory (Score:5, Insightful)
The key is to make them memorable, pronouncable non-words. You can do this using passwdgen on linux. Just set it to the number of characters, add the "pronouncable" switch and - optionally - the "non alphaneumeric characters" switch and you'll have something that is very secure yet easy for YOU to recall.
Further, what a bunch of whiney fucks. "Boo hoo, I have to use passwords. Boo hoo, I have to use a key to open my car door, house, bank deposit box, home safety, glove compartment, trunk. Boo hoo, I have to turn the knobs on doors and open them before walking into a building or home or car."
Come on people.
Re:A big problem... (Score:5, Insightful)
The problem is, the vast majority of people who work here are either academic researchers, who are used to open collaborative discussion and find passwords inherently distasteful, or administrative workers, who, while they may be very dedicated civil servants, find the different password systems for email, LAN logon, timesheets, billing, contracts, grants, etc., to be tedious at best and bewildering at worst. Since they are not allowed to have the same universal password, for obvious security reasons, nor is that password allowed to be a recognizable English phrase, they have a great deal of difficulty memorizing each one.
Add in the fact that each password must be changed every six months at a minumum (monthly for some systems) and that passwords cannot be repeated for five cycles, and that's as many as fifty or so passwords over the course of a year for some administrative officers. That's a lot to ask, even for someone with a technically-oriented mindset.
Recognizing that writing them in a booklet next to the desk- or lap-top is a problem, many offices have taken to writing them down inside a lockbox.
Biometrics may help, but if our physical plant is any evidence, we'll be ten or so years behind the curve getting such systems installed.
Re:Break their fingers (Score:3, Insightful)
think about it though (Score:2, Insightful)
Re:This doesn't surprise me at all... (Score:3, Insightful)
Recently I've been asked by "tech support" for some stupid websites for my username AND password. Does someone here know a site that explains the CONs about this?
One holds my employee's salaries and such. I'm perfectly happy that the support people can access that if they need to. The system can then log "helpdesk-Tom" accessed XYZ's financial data, and get possible problems after that figured out. If I give him my password, it'll look as if I used some stupid dialup with my password, and it's my word against their logs that it wasn't me....
The other case would have allowed the helpdesk guy to order goods in my name. Volume two of the catalog is over 2000 pages. Volume one is less thick (and currently not on my desk). To give you an idea about how many products he'd be able to chose from.....
Re:Use Password Functions (Score:4, Insightful)
It sounds funny to the geek, who prides himself on the security of his passwords and winces every time his wireless provider asks him to say his password over the phone. h-d-asterisk--
"Asterisk?"
Yeah, hit shift-8. h-d-asterisk-captial-l-capital-v-lowercase-b-clos
Re:does this surprise anyone? it's not a fingerpri (Score:4, Insightful)
Passwords are used in part becuase of history, but mostly because they work and can be changed.
"Sir, your bio-passport is invalid due it being compromised. No, I'm sorry, sir, you cannot get a new one. No, not ever."
This is news? (Score:5, Insightful)
Re:Wow... I mean... wow... (Score:1, Insightful)
Once upon a time I was an advocate of regularly changing passwords, but not anymore.
Re:A big problem... (Score:4, Insightful)
Re:Passwords and memory (Score:2, Insightful)
Re:Passwords and memory (Score:5, Insightful)
As we learned in Econ 101, it probably comes down to value. Most people do not ascribe value to computer security; they see it as "something the IT guys make us do." Example: walk into any small shop and check out their security. It has been my experience that all passwords are taped to the monitor more times than not, or you can just ask the admin for them.
On the other hand, people ascribe much more value to the security of their home and/or car.
Re:does this surprise anyone? it's not a fingerpri (Score:2, Insightful)
And dealing with the fingerprint issue... The Reg [theregister.co.uk] just had a write up about it...
Nephilium
Because people have been doing security wrong (Score:5, Insightful)
Passwords came into popularity a long time ago. Things that have changed since the introduction of the password:
* Many people have accounts on many, many systems (thanks to websites with accounts).
* Users on such systems may not be primarily benevolent -- on a UNIX box used by a small bunch of researchers in the early 80s, a password may be an acceptable barrier to anyone poking around. A password on eBay, on the other hand, may be of interest to a number of less savory characters.
* The ability to attack systems has significantly increased. Internet accessability means that remote, hard-to-trace attacks are more common. A brute force attack on a computing system physically isolated in a building may be simply infeasible, and choosing "cheese" as a password may be perfectly acceptable -- such a thing is no longer reasonable.
* Computing power is much greater now. Attacks on password hashes (including those sent over the network) are much more feasible. The relative strength of passwords to CPUs has decreased logarithmically.
* Many systems require passwords frequently. If you are a defense contracting employee, you might have only needed your password once when walking in the door in the morning and once after lunch. Now, corporate intranets have passwords, Yahoo has passwords, Slashdot has passwords, eBay has passwords, etc. Many of these require passwords multiple times a day (or, if they have an option to cache a password, do not have sufficient data about the client side to know how long it is safe to continue to cache the data).
* The demographic of password users has changed. Almost everyone has many passwords now -- not just a couple of engineers or scientists, or the occasional person with an ATM PIN.
What I Suspect Needs To Be Changed
A couple of things that probably need to change:
* It needs to be standard (and have a common interface for doing so) for users to be able to delegate a subset of their authority. Few systems currently have authorization systems smart enough to allow users to delegate chunks of their power to other users for a short term (and audit any moves). This needs to be simple, *easy*, and secure. If Sharon wants to let Bob purchase something online and charge it to her credit card account, she needs a quick and easy way to say "I authorize Bob to spend up to $500 in the next week and charge it to my credit card." That could be via her cell phone or on a computer. Most systems should have at least several forms of authorized actions that can be delegated to other users that require no more than entering a limit on the degree of the actions taken. A list of actions that other users have taken with that authorization should also be easily visible.
* Where feasible, passwords should be replaced by smartcard/PIN combinations. It's easier to remember a four-digit PIN than a long, secure password, and for anyone that doesn't have physical access to a user's smartcard, the strength of the token on the card is much greater than that of a password. Currently, this is particularly disasterous in the form of credit card information. Currently, many vendors store full credit card information used in purchases in databases. If any such database is compromised, authentication data providing full access to money accounts is granted the compromiser -- this is, frankly, insane. Credit card providers have one effective line of defense against a compromised card -- they do statistical analysis against purchases, which isn't the most reliable method of dealing with such attacks, and requires intense monitoring of anything users do -- producing a strong disincentive to provide users with privacy. (I realize that there are a few attempts at improving t
Re:I weep for the future. (Score:5, Insightful)
I know you mean this as a joke, but I want to take a second to remind people why biometric authenticaion is stupid:
When you're using somrt sort of key/password, you want it to meet the following criteria:
Many of the best security systems rely on "something you know and something you have". This means that there is a physical object, and some sort of password.
Biometrics are stupid because they rely on the secrecy of something like your fingerprints, which you leave on everything you touch. They're just not secret. And they're not changeable once the secret is out and the bad guys have your fingerprints.
It makes me cringe every time I hear about biometrics being used as a substitute for passwords, credit card numbers etc. [slashdot.org] What happens when I get a copy of your fingerprint (using a only piece of tape and some talc)? I can go around making purchases as you, and it's not exactly like you can cancel your fingerprints and get new ones.
The only place biometrics really shine are the times when the person doesn't WANT to be identified. You kinda have to carry your fingerprints around with you. For everything else, they suck.
I would much rather fork over my credit cards at gunpoint than be kidnapped or have my fingers chopped off.
Re:Passwords and memory (Score:5, Insightful)
True, but does turning a key force you to remember a complex stored memory? Nope.
Re:A big problem... (Score:3, Insightful)
Usernames and passwords do nothing to authenticate someone. All they mean is that someone knows a username and password. Besides being a lowsy way to authenticate somebody, passwords are a pain in the ass. Everybody has different rules for having a "good password" , they expire at different times, and it seems as though every website now requres a username and password to buy something, or read extra content, or whatever. Its gotten so out of hand that I make up 99% of my username and passwords and redoit every time I go to the site.
Compare this to going to a physical place like a store or resteraunt. When you go to a bar or nightclub, does the doorman say, "Hey man, come into this room here, and fill out some forms. You must then think of a unique name thats not your real name, and please make a list of some random characters that should be different from every other nightclub that you go to, and remember both of these every time you come back here. Oh yeah, I need to see an ID too, because its the law that you have to be 21 to drink."?
If someone asked me to do this, I'd tell them to go to hell.
But this is OK to do this with computers? Why?
PKI [pki-page.org] is out there, been around for quite some time. There can be X.509 certs that have things like your age, address, etc, that has been issued by somebody with some form of verification process, and signed by that issuer. These certs can be used over and over again, and the information in them can be given to whomever asks. Wanna look at some free porn? Well, give me your cert field that says your over 18 please. No username, no password, and very little chance that little Johnny will have access to such a cert. Oh, and this cert can be stored on a credit card sized piece of plastic called a smartcard [faqs.org]. I have probably close to 10 credit card sized cards in my wallet, I bet you have a few as well.
Sometimes it amazes me how much different situations can be when a computer is involved. For example, how many other times in your life have you used a password besides on a computer? I can hear the tin foil heads saying that "Using an ID with a computer will violate my privacy!" Yet its completely volunary for you to give up the information either via filling out a form, or by showing an ID physically or electronically. Is anyones privacy any better with the current system?
I wonder how much longer its going to take before we get out of the username/password insanity.
Re:This doesn't surprise me at all... (Score:4, Insightful)
If you worked for me, you would not get an opportunity to do this a second time. Sanctioning the offender is fine, but costing the company 5 months worth of work is not.
Unfair survey... (Score:5, Insightful)
The survey should have also asked the following questions:
1) Please specify your major credit card number and expiration date.
2) Please specify your address, bank account number, and SSN (if it applied to citizens of the United States - otherwise insert THEIR form of special identification).
Would the numbers have coincided as to who revealed that particular bit of information? Absolutely not. The average person would see the risk in giving those pieces of information to a complete stranger.
If a direct association could be made between their Internet password and their money, those people would have guarded their password under lock and key. Why? Because the loss of money is readily understood, versus having to call an ISP and say "Someone hijacked my account."
Although people may be tired of using passwords (or PIN numbers), they are still a somewhat effective means of preventing improper access to their assets, be it Internet access, money, or personal information. The quality of the password is directly related to the importance of the stuff being protected.
The article cites that birthdates, pet names, etc. are common passwords. However, if someone applied the same level of protection on say...
Instead of asking that 16-digit number (an abstract version of a password), one were to ask "What is your credit card phrase?" Answer: "Buddy."
Instead of asking that expiration date, one were to ask "What is your age?" Answer: 30. These easy "passwords" would make is easier to make fraudulant charges on someone's account.
Public awareness of the importance of securing their own personal information is a key issue that needs to be resolved. Using an easy to understand analogy would be a good first step for those who are being surveyed.
Password Rules (Score:5, Insightful)
It irks me, because even if I wanted to use a completly different password for every login, there is no pattern or strategy I can follow to appease all of them.
SecurID! (Score:4, Insightful)
I wish I could use SecurID (or something like it) for everything. It would dramatically simplify my life.
Re:Ugh (Score:3, Insightful)
Honestly, who do you know that bitches and moans about having to use a separate key for both their car and house/apartment?
Nobody, because people can easily see the reason for this. That doesn't mean it's a great thing. Lots of people hide keys, in case they misplace one--near the door to their house, in magnetic boxes under a fender, under a rock, etc. A system that relies on the memory and presence of mind of average (or, frequently, above-average) people to maintain security is going to be crackable by social means--always has been, always will be.
It seems to me that the reason we can't just accept this and get on with it is they tantalizing possibility of a technical fix. But, every time that gets brought up for discussion, technocrats like you start crying that its not THEIR problem--even though it manifestly IS their problem. Apparently, human nature is so frustratingly scatterbrained compared to machines that we're going to spend all our time crying about what lazy idiots the (l)users are, rather than finding a way to use the machines to fix the problem.